From: Wietse Venema (no email)
Date: Tue Feb 01 2005 - 10:14:26 EST
Cami:
> Forrest Aldrich wrote:
> > A great example of where this is highly effective is the automated
> > spamming bots... last night, one of my servers got slammed with over
> > 170 different connections (all bots, presumably). ALL connections were
> > useless to them, and nothing got submitted (just a big syslog for me to
> > look at). That other server is running Sendmail-8.13.
> >
> > There are schools of thought against this tactic, but I digress... the
> > evidence that it works is clearly there.
> >
> > In either case, this could be accomplished in a "policy server", though
> > I'd just assume have a main.cf variable to trigger. (and I'd write it if
> > I were a programmer!).
>
> This is not possible in a policy server.

Hang on.... it only takes a tiny fix in the reject_unauth_pipelining
feature.

With the configuration and patch below, Postfix stops clients that
speak before the server has greeted them.

    % telnet localhost smtp
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    helo foo
    mail from:<>
    503 <localhost[127.0.0.1]>: Client host rejected: Improper use of SMTP command pipelining

	Wietse

/etc/postfix/main.cf:
    smtpd_delay_reject = no
    smtpd_client_restrictions = check_policy_service inet:127.0.0.1:9999

inet:127.0.0.1:9999 policy script or equivalent:
    sub smtpd_access_policy {
	# Wait, so that an impatient client sends before it is greeted.
	sleep(1);
	# Have Postfix apply this restriction to whatever input is waiting.
	return "reject_unauth_pipelining";
    }

Postfix smtpd_check.c patch:
*** /var/tmp/postfix-2.2-20050131/src/smtpd/smtpd_check.c Sun Jan 30 19:57:35 2005
--- ./smtpd_check.c Tue Feb 1 10:11:15 2005
***************
*** 1285,1291 ****
if (state->client != 0
&& SMTPD_STAND_ALONE(state) == 0
! && vstream_peek(state->client) > 0
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| strcasecmp(state->where, "DATA") == 0)) {
return (smtpd_check_reject(state, MAIL_ERROR_PROTOCOL,
--- 1285,1292 ----
if (state->client != 0
&& SMTPD_STAND_ALONE(state) == 0
! && (vstream_peek(state->client) > 0
! || peekfd(vstream_fileno(state->client)) > 0)
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
|| strcasecmp(state->where, "DATA") == 0)) {
return (smtpd_check_reject(state, MAIL_ERROR_PROTOCOL,
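Review bot: The added `|| peekfd(vstream_fileno(state->client)) > 0` term (new lines 1287-1288) has no comment saying why it is needed next to `vstream_peek(state->client) > 0`. A short comment that the first test covers input already read into the stream buffer and the second covers input still waiting on the descriptor would keep a later cleanup from dropping one of them. The `> 0` comparison also treats a negative (error) result from peekfd() the same as no pending input, so the check fails open silently; consider logging a warning in that case.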
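The pre-greeting test described in this message, as an added stand-alone example that is not part of the original post and is not Postfix source: the server holds back its banner and asks the kernel whether the client has already sent input. The names `pending_bytes`, `spoke_before_greeting` and `demo` are hypothetical, FIONREAD support on sockets is assumed, a socketpair with constructed input stands in for the SMTP connection, and `poll()` with a timeout replaces the fixed `sleep(1)` of the policy script.

```c
/* Added example, not Postfix source. All function names are hypothetical. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bytes waiting in the kernel receive buffer of fd, or -1 on error.
 * Assumes the platform supports FIONREAD on sockets. */
static long pending_bytes(int fd)
{
    int count = 0;
    return (ioctl(fd, FIONREAD, &count) < 0 ? -1 : count);
}

/* Withhold the greeting for up to delay_ms. Returns 1 if the peer sent
 * data first, 0 if it stayed silent or closed, -1 on error. */
static int spoke_before_greeting(int fd, int delay_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc = poll(&pfd, 1, delay_ms);
    long n;
    if (rc <= 0)
        return (rc);                    /* 0: timeout, -1: poll error */
    n = pending_bytes(fd);              /* readable with 0 bytes means EOF */
    return (n < 0 ? -1 : n > 0);
}

/* Constructed demo: a socketpair stands in for the SMTP connection and
 * early_input (may be NULL) is what the client sends before any banner. */
static int demo(const char *early_input)
{
    int sv[2], result = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return (-1);
    if (early_input == NULL
        || write(sv[1], early_input, strlen(early_input)) >= 0)
        result = spoke_before_greeting(sv[0], 100);
    close(sv[0]); close(sv[1]);
    return (result);
}

int main(void)
{
    printf("early talker: %d\n", demo("helo foo\r\nmail from:<>\r\n"));
    printf("polite client: %d\n", demo(NULL));
    return (0);
}
```

A client that connects and closes without sending anything is reported as 0, because the descriptor becomes readable with no bytes pending.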